Shared-IP Zone Partitioning

The IP stack in a system supporting zones implements the separation
of network traffic between zones. Applications that receive IP traffic can
only receive traffic sent to the same zone.

Each logical interface on the system belongs to a specific zone, the
global zone by default. Logical network interfaces assigned to zones through
the zonecfg utility are used to communicate over the network.
Each stream and connection belongs to the zone of the process that opened
it.

Bindings between upper-layer streams and logical interfaces are restricted.
A stream can only establish bindings to logical interfaces in the same zone.
Likewise, packets from a logical interface can only be passed to upper-layer
streams in the same zone as the logical interface.

Each zone has its own set of binds. Each zone can be running the same
application listening on the same port number without binds failing because
the address is already in use. Each zone can run its own version of the following
services:

Internet services daemon with a full configuration file (see the inetd(1M) man page)

Zones other than the global zone have restricted access to the network.
The standard TCP and UDP socket interfaces are available, but SOCK_RAW socket
interfaces are restricted to Internet Control Message Protocol (ICMP). ICMP
is necessary for detecting and reporting network error conditions or using
the ping command.
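As an added example (not from the Solaris documentation), a small C probe that a zone administrator can compile and run as root inside a non-global zone to confirm the restrictions just described: raw sockets are expected to open only for ICMP, and a TCP bind is expected to succeed only for an address of a logical interface assigned to that zone. The file name, the port 8080 and the result labels are assumptions.

```c
/* zone_netprobe.c: added probe, not from the Solaris docs. Run as root in a
 * non-global zone: SOCK_RAW should succeed only for ICMP, and bind() only for
 * addresses of that zone's logical interfaces. Solaris: cc ... -lsocket -lnsl */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Open (and close) a raw IPv4 socket for proto; 0 on success, else errno. */
int probe_raw(int proto)
{
    int fd = socket(AF_INET, SOCK_RAW, proto);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Bind a TCP listener to addr:port; 0 on success, else errno. */
int probe_bind(const char *addr, unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    int e = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        e = EINVAL;                      /* malformed address string */
    else if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 1) < 0)
        e = errno;                       /* e.g. EADDRNOTAVAIL outside the zone */
    close(fd);
    return e;
}

/* Map a probe result to the outcomes a zone administrator expects to see. */
const char *verdict(int err)
{
    if (err == 0) return "allowed";
    if (err == EACCES || err == EPERM) return "denied: zone or privilege restriction";
    if (err == EADDRNOTAVAIL) return "denied: address not assigned to this zone";
    if (err == EADDRINUSE) return "in use by a process in this zone";
    return strerror(err);
}
int main(void)
{
    const int protos[] = { IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP };
    const char *names[] = { "ICMP", "TCP", "UDP" };
    for (int i = 0; i < 3; i++)
        printf("SOCK_RAW %-4s : %s\n", names[i], verdict(probe_raw(protos[i])));
    printf("TCP bind 0.0.0.0:8080 : %s\n", verdict(probe_bind("0.0.0.0", 8080)));
    return 0;
}
```

Running the same binary in two zones with port 8080 free in each shows both binds reported as allowed, since each zone keeps its own set of binds.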